Hacker News new | past | comments | ask | show | jobs | submit login
D-Link says it won't patch 60k older modems (techradar.com)
267 points by lobo_tuerto 6 days ago | hide | past | favorite | 169 comments





Here's an article for those who'd rather read than watch someone's youtube video:

https://www.techradar.com/pro/security/d-link-says-it-wont-p...

Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different


Ok, we've changed to that from https://www.youtube.com/watch?v=52v6gKPA4TM above. Thanks!

> Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different

Except for unmanaged switches. These little D-Link unmanaged switches are little workhorses: I've got several so old I don't remember when I bought them. I take it D-Link didn't manage to fuck up even unmanaged switch?

But seen their approach to security, I probably won't buy D-Link again.


I think they actually did manage to fuck up even the small unmanaged switches. I have three unmanaged switches at home, one on the ground floor and two in the first floor. Ground floor is an 8 port netgear, first floor are one to link and one d link.

Every couple of weeks, the entire wired network goes down. Not even pinging adresses works. The d links ports leds are all flashing (perfectly in sync!) until I power cycle it. Then everything goes back to normal.

I have no idea what happens, and I should probably replace the d link soon.


Are you aware about broadcast storms? Perhaps you somehow accidentally introduced a loop in the network? The symptoms fit that exactly. https://en.wikipedia.org/wiki/Broadcast_storm

STP is meant to prevent that. https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

Of course you can't set up STP with unmanaged switches, so until you go managed and set up STP properly nothing will change.


It could be missing IGMP Snooping Protocol support in a network with IPTV or custom VLAN setups. There are 3 versions (IGMP snooping (v1, v2, and v3)), managed switches have them all, unmanaged usually don't have them. To avoid problems, only pass a single VLAN to the unmanaged switch (it must be behind the managed switch for that), otherwise the unmanaged switch can and usually will bring a network down after some time. Or just use a switch with IGMP snooping support.

I was not! Thanks for the hint!

Although I'm 100% sure there are no loops, I haven't changed the actual cable layout in ages.


If the D-link has a wall wart which you could easily replace, try that. (And maybe a real surge strip, if you've got one handy.) Iffy power can cause all sorts of bizarre behavior.

I have a couple of TP-Link unmanaged 4 port SOHO switches. They're pretty reliable so far.

The TP Link (typo in my other post) and the Netgear are reliable, only the D Link causes issues.


I haven't enabled jumbo frames knowingly on my system, but even if I had, why would the issue occur only every few weeks? Also, it seems to be rather independent of the actual network load.

A friend had networked speakers that would freeze until a manual reboot time to time. It turned out to be the Linux running within the speakers that crashed on the occasional jumbo frame.

DLink were for me one of the least reliable small unmanaged switches I tried over the years. Out of those I have had (I have about 7 in the house, they get replaced when one dies), there was DLink, Linksys, HP, Netgear and TP-Link, the TP-Links are by far the most reliable in so much as I have never had one die, and now all my switches are TP-Link as all of the others gave up the gost.

The first 8-port 10G TP-Link switch I got died within a few weeks. I think its power supply fried. It's replacement has been rock solid since for the last year and change now, fortunately!

> I take it D-Link didn't manage to fuck up even unmanaged switch?

I'd hope not. I haven't seen it yet at least.


The Netgear GS series is king. Metal case 5,8,16 port gigabit unmanaged switches. Runs forever.

Those blue metal Netgear switches are the only Netgear products I buy (after they burned me with their crappy routers back in the 802.11G era to the point I went full Office Space on one).

This isn’t snark, but I didn’t think DLink was really a player anymore. Did they pivot? It used to be (like 20 years ago) they were like the #3 consumer brand after Linksys and Netgear. Now, it seems like the players are Eero, ASUS, Netgear, Linksys, TP-Link, Google. I haven’t even seen a DLink product in a store (online or not) or in the wild, in a decade.

Edit: checked their site: apparently they are still in the game, I guess just nobody buys them


I remember them always being the cheap budget option - assuming that's still the case

100% agree, I only dealt with them at somebody else’s house when they had cheaped out.

Only thing I liked about them is that they had “emulators” on their website which would let you see a dummy version of the UI of any router, which was invaluable for someone doing informal remote IT since you could walk someone through configuring it by knowing exactly what the config pages looked like. Useful especially since remote screen sharing was tougher 15 years ago.


Another 60,000 devices ripe for malicious entities to use in their botnet.

> Another 60,000 devices ripe for malicious entities to use in their botnet.

Right, my immediate reaction after reading the title was that D-Link might not patch their hardware, but others certainly will.


Speaking of things others could do:

Dlink competitors should use this in their marketing.


How much of Dlink's target market would both understand and care?

I think, thankfully, that the average user is increasingly aware of these kinds of problems, and hopefully the era of companies being this irresponsible is starting to come to an end.

Anecdotally, my elderly parents have asked me questions about ransomware and "our house getting hacked" because of segments they've seen on the mainstream nightly news. So the awareness is out there..


Is it any easier than the millions of IP cameras, DVRs and WAN accessible modems and routers (from other manufacturers, particularly from China or South America)?

If anyone is looking for alternatives as far as long term supported products go... I've had nothing but good experiences with Ubiquiti (Unifi) and OpenWRT. At the lower end of the price spectrum, OpenWRT supported devices can be an incredible value, and most will probably remain supported for decades to come.

More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.


> At the lower end of the price spectrum, OpenWRT supported devices [...] will probably remain supported for decades to come.

Not really. Each newer OpenWRT release needs slightly more storage and memory than the previous one, and these devices at the lower end of the price spectrum tend to have as little storage and memory as they can get away with. Older devices with as little as 4 MB of storage and/or 32 MB of memory are already unable to run current OpenWRT releases, and devices with 8 MB of storage and/or 64 MB of memory are already on the way out. But yeah, other than that OpenWRT does tend to support devices way past their original EOL.


Counterpoint: The original "Google Wi-Fi" Mesh routers (the hockey puck looking ones) from about 10~ years ago come with *4GB* of storage and 512MB of RAM [1]

[1] https://openwrt.org/toh/google/wifi

They're about $30-$50 USD for a 3 pack on eBay


It's not just those. The 16 MB storage/128 MB flash recommended minimums are a non-issue for pretty much any remotely popular router in the 802.11ac wifi era, and I doubt OpenWRT will suddenly explode in size and blow past those limits any time soon (just look at its trajectory over the past decade).

Oh wow, are those OpenWRT compatible?? I’ve been out of the game since having a WRT54GL with Tomato, so pardon my ignorance

Why did Google spec them so heavy?

The storage is eMMC, basically the cheapest thing available once you've committed. You'd have to actively try to buy eMMC smaller than 2-4GB. Same for the RAM, that's a single chip. It's not a heavy spec, just somewhere near the bottom of the cost curve for those particular parts.

They probably used similar parts in another product and threw them into the routers for the additional order volume, known bring-up risk, and dev benefits. The pixel series also uses Samsung eMMC, iirc.


They probably budgeted a dollar for storage and a dollar for ram, or close to it.

Sometimes it's nice to be able to run a normal OS.


Note that the limit only applies to base OpenWRT installation. I have successfully configured my ancient router to boot from the router's USB storage (64gig flash drive)

I disagree with your sentiment. I think the routers openwrt has dropped support for are super low spec, like $20. And they still run older versions of openwrt.

You could probably also just run openwrt with out a gui and probably do fine.

Additionally, I like that openwrt works on higher end boxes now, like the zyxel gs1900 12, 24 and 48-port switches.


Regarding supporting devices long-term, I can still get current version official OpenWrt for the Netgear WNDR3700v2, which I think is about 15 years old at this point.

https://firmware-selector.openwrt.org/?version=23.05.5&targe...

https://openwrt.org/toh/netgear/wndr3700

I always try to find out what's one of the best-supported OpenWrt routers at the time I'm shopping. And can I get one (or a few) of them on eBay at great prices.

WRT54-GL, WNDR3700(v2,v4) and WNDR3800, Netgear R7800.

I also have an OPNsense box that I'm evaluating. But, since OPNsense (FreeBSD) isn't strong on WiFi, I'd need to pair it with separate WiFi APs (running OpenWrt). I'm not liking the extra complexity, when an OpenWrt R7800 still does everything I really need right now.


> WRT54-GL, WNDR3700(v2,v4) and WNDR3800, Netgear R7800.

The WRT54-GL stands out, while having a really long support life it's also just FE, 10/100Mbps. The others are gigabit Ethernet. Could possibly be replaced from the list by the D-Link DIR-825 (N, not AC) which is also at the same support level as the Netgear WNDR3700v2.


I think OpenWRT is the right approach at this point. Open source really excels where there is a 'commons.' We all have a shared interest in secure networks. Commercialized gate keeping of router firmware doesn't make sense. These manufactures should just switch to OpenWRT and skin it.

> These manufactures should just switch to OpenWRT and skin it.

Take a look at Teltonika, that's basically what they do, but with nice over-provisioned hardware. Comes with the "industrial" price tag, but theirs is the most rock solid network gear I've ever used, and you actually receive frequent router and modem firmware updates.

I have one of their RUTX50 (5G LTE modem/router) at home and get about ~550 Mbit's through it, best internet I've ever had. I've never been forced to reboot it. I tried some consumer 5G modems before that and they were a total waste of money. I've also used their non LTE gear elsewhere and it's the same pleasant experience, and naturally highly configurable due to OpenWRT without having to hack around.


OpenBSD also works great for such things.

Anyone have any OPNSense budget hardware recommendations?

N100 is an excellent chip to go for. I'm currently using a aliexpress special with a celeron n5105 chipset in it.. it works fine as well, but I'd opt for the N100 next time if I had to replace it.

Celeron N5105

CPU: Intel Jasper Lake Celeron Processor N5105, 4 core 4 threads,64 bit, 10nm, 2.0GHz up to 2.9GHz, 4M cache

GPU: Intel UHD Graphics GPU, 24EU, 450MHz up to 800MHz

vs

Alder Lake N100

CPU: Intel Alder Lake Processor N100, 4 core 4 threads,64 bit, 10nm, Up to 3.4GHz, 6M cache

GPU: Intel UHD Graphics GPU, 24EU, Up to 750MHz

I bought a N100 model to run as my backup server (PBS etc) and its a cracker. Debian is so snappy on it.


Also running OPNSense (in a VM) on an N5105 from an AliExpress mini box, with four Ethernet ports. Thing gets hot though, passively cooled, but I put a fan on top of it.

Also runs another VM with some lightweight docker containers. Reliable little thing.

Would also go N100 if needed replacement.



Just to clarify, OPNsense is based on FreeBSD[0], not OpenBSD. But OpenBSD does indeed make a good router/firewall OS as mentioned by GP. :)

[0] https://opnsense.org/about/about-opnsense/


What performance are you looking for alternatively what's you (power) budget?

MikroTik also has a number of cheap devices and I have several of their "discontinued" products that are over a decade old that I'm still updating.

Their releases aren't really for _a_ device, but for a CPU architecture/chipset, so I don't know that I've actually run across any device that went unsupported before I replaced it anyway for reasons of wanting faster networking (i.e., 10/100 -> 1000; 802.11bgn -> 802.11n -> 802.11ac).

Many of them are also supported by OpenWRT.


The vulnerabilities impact modem products rather than router products. If you have one of these modems, you'll need to replace the modem functionality with another modem. You can, however, place an OpenWrt router/firewall on your LAN side just past the modem.

opnsense also has hardware options.

This is something the EU Product Liability Directive potentially addresses. It demands that vendors (or importers) of products need to update their product if that's required to keep them secure. Otherwise they are liable for damages, even psychological damages.

There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.

In Germany there is something similar in place, already and the expectation is that products (and necessary apps to run the products) need to be updated for 5 years on average.


> There is no specific duration mentioned in the directive

The directive has explicit 10 year expiry period, see (57)

> Given that products age over time and that higher safety standards are developed as the state of science and technology progresses, it would not be reasonable to make manufacturers liable for an unlimited period of time for the defectiveness of their products. Therefore, liability should be subject to a reasonable length of time, namely 10 years from the placing on the market or putting into service of a product (the ‘expiry period’), without prejudice to claims pending in legal proceedings.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...


That D-Link DSL6740C device was released in 2014. It's well past lifetime. I am not sure about PLD, but CRA is only for lifetime or ~5 year.

> When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.


The 5 year clock should start from the last time a consumer purchased the product new, though. I can't find anything concrete but some poking around on wayback machine indicates it was likely discontinued late 2018. Which probably still means they are in the clear in this instance even if you assume it takes a year for the inventory in the channel to sell through.

> The 5 year clock should start from the last time a consumer purchased the product new...

Obvious problem - how could the manufacturer determine (let alone control) when, literally, that happened? They might tell when their major distributors and online retailers ran out of stock...but small distributors and bottom-feeding resellers and mom-and-pop retail? Impossible.

On-package labeling ("Software security updates for this thingie will be available until at least Dec. 31, 2029; also check our web site at https://support...") would be the only fool-proofish method.


I think on-package labelling is a good approach. You could also make the retailer liable for a lack of updates - just as they typically already are with defective products in most jurisdictions.

Yeah, this isn’t that different than the food “best by date” requirements, and in most cases (despite popular belief) the likely consequences of eating old packaged food is not even getting sick, just staleness. Arguably, having exploitable electronics that are “expired” is a greater danger.

The manufacturer can't control or even predict purchase dates, so that leaves potentially unbounded support lifetimes. I'd be comfortable with the 10-year timer starting from date of last manufacturer though

If this works like a warranty, the manufacturer can stop 10 years after selling to the shop. The shop is the one providing the warranty to the user. The shop can oblige their warranty by replacing with a (more recent) equivalent model, even from another manufacturer.

Background on the underlying context of the bug: https://www.youtube.com/watch?v=-vpGswuYVg8 -- It's objectively unforgivable.

TL;DW:

Call GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27

account_mgr.cgi is safe, it takes web parameters "name", "pw" and calls the equivalent of

    execlp(..., "account", "-u", name, "-p", pw);
"account" was written by the intern and runs

    sprintf(buf, "adduser \"%s\" -p \"%s\" >/dev/null", opt_u, opt_p);
    system(buf);

Never mind the actual mistake "the intern" made.

Not only was "the intern" tapped to write code that accepts user input from HTTP and also use system administration shell commands - and use C to do raw string handling, for that matter; who knows if `buf` is properly allocated? - but there was either no review/oversight or nobody saw the problem. Plus there are two layers of invoking a new program where surely one would suffice; and it's obviously done in a different way each time. Even programmers who have never used Linux and know nothing about its shells or core utilities, should be raising an eyebrow at that.

Meanwhile, people want to use AI to generate boilerplate so that their own company's "the intern" can feel like a "10x developer" (or managers can delude themselves that they found one).


That’s insane.

It's also wrong. If the C code presented is accurate the URL would have to contain &name=%22;shell-command-to-run;%22, or perhaps &name=$(shell-command-to-run). name=%27;shell-command-to-run%27 is mostly harmless.

That's nit-picky I know, but when some dude on the internet is trying to get clicks via manufactured rage at incompetent programmers, it's kinda ironic his code is buggy too.


Don't shoot the messenger. This is from the people who discovered it:

https://netsecfish.notion.site/Command-Injection-Vulnerabili...

> The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.

> /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27

I know, I know, that would mean the exact command run, based on the reversed code shown on screen at https://youtu.be/-vpGswuYVg8?t=656 would be

    adduser -u "';<INJECTED_SHELL_COMMAND>;'" -p "" >/dev/null
which would be harmless, so clearly if the PoC says %27 then the real format string must be more like "adduser -u '%s' ...". Maybe the Youtuber reversed the wrong firmware. But nonetheless, the point is gotten across.

I've had a box of old wifi-routers for years that I'd been meaning to reverse engineer and write up blog posts on the vulnerabilities to educate people on just how poor quality the software is written for the things you buy in your local electronics store. Every 3-4 years I'd have to buy another because the manufacturer stopped providing updates, even when I was buying their higher-end stuff.

I myself moved on to an Ubiquiti Edge Router almost 10 years ago, but Ubiquiti didn't do a great job of that in the long term and they ditched the EdgeRouter/EdgeMAX line so I ended up (and I wasn't interested in Unifi line for my router/firewall) buying a Protectli box, flashed coreboot and used pfSense for a while before eventually moving to OPNSense.

I came to the conclusion over this time that any consumer network equipment is basically junk and if you care at all about security you shouldn't use it; sadly that's easier said than done for non-techy folks.

Many pieces of older/cheaper hardware can be flashed with OpenWRT and I'd recommend that as the cheapest option for anyone who cares just a little, and doesn't want to buy new hardware, and for everyone who really wants to make an effort should buy some hardware that can run a properly maintained router OS like pfSense or OPNSense, even an all-in-one wifi-router-switch if you don't want to build out an entire SMB network.


Yeah Ubiquiti used to be great before they went the other way. Now Mikrotik is the new hotness.

I've been looking at some of the Mikrotik releases; I'll almost certainly be going Mikrotik when I get around to upgrading my home network to 10Gb, I'm just looking out for new APs and will probably replace them all at once.

Current using Unifi AP-AC Pros and Unifi 6 Pro around the house, but I keep having to move them around because the (newer) U6 Pro has atrocious range on both 2.4GHz and 5GHz compared to the AP-AC-Pro and my wife is getting annoyed at the poor WiFi signal on the living room TV (constant buffering), so I put the AP-AC-Pro back and it's better for the TV but slower for everything else.

Not sure if there's a better Unifi AP I can get for this part of the house or if I need to switch everything out as don't want to mix AP manufacturers/management tools.


Give me ethernet or give me death. I have a couple MikroTik RBcAPGi-5acD2nD-US cAPs connected to a couple CRS312 10gb switches connected via a XS+DA0001 cable to my RB5009UG router, which is connected to a 2.5gb modem. I don't put a lot of stress on my wifi, since I don't think I've ever seen a WiFi network I'm truly happy with outside a Google office, but these have served me well enough. Mikrotik has a newer v6 ax AP and they're easy to deploy once you figure out how. That might help you, since the solution to your problem might simply be having more.

Best thing about Mikrotik though is they've got this incredible management program called WinBox64.exe which is a 2.2mb single-file dependency-free executable that needn't be installed. It's super lightweight. Like they coded it without any frameworks. It feels like being back in the circa 2000 golden age of Windows, and the GUI is so rich and powerful and dense that it makes your desktop look like a hacker movie to normies who happen to be looking over your shoulder.


> Give me ethernet or give me death

This is pretty much where I'm at. I went from having a fully wired home to moving into a larger, solid-brick home, since then, I've had to rely on adding APs to get coverage to certain critical points, because otherwise I need to do extensive work to run cables; there's nowhere to hide them in solid-wall houses other than to tear holes into the walls and bury them there; my wife won't settle for trunking all over the show.

I do need more APs, particularly in the upstairs, but the one that affects the TV shouldn't be a quantity issue; it resides on the ceiling, directly above the door to the living room, the TV is on the opposite side of the living room to the door, about 5 meters away. I suspect the couple of feet wide area of bricks about 8 inches thick is attenuating the signal from the U6 Pro enough to make it unusable for the TV, despite the wide open door frame directly below, while the AP-AC-Pro manages just fine. The reason I don't just add an AP _in_ the living room, is the same that I don't just run ethernet, which is that it's a challenge without doing lots of damage and thus remedial work to get the cables there.

I fully intend to run ethernet there, and everywhere else when I can, but we recently redecorated everywhere after we moved in, so my wife might just kill me if I do it now; and we're back to square one, death.

> Best thing about Mikrotik though is they've got this incredible management program...

That's amusing, hopefully I'll get to check it out if it can run under WINE, 2000 really was the golden age of Windows and I haven't run it since, every PC, laptop, server, etc in this house runs Linux or *BSD.


Or well… if you have one of these models, this is the way.

https://openwrt.org/toh/d-link/start


I didn't find most of the affected models there, and for these which I did, pages are full of warnings like that OpenWrt support is obsolete since 2022 and/or that 4 MB of flash and 32 MB of RAM is not enough to do anything useful

Look I am just being grumpy about this and I know it has nothing really substantive to do with the underlying story, which is D-Link EOL'ing products, but: there is really no such thing as a "9.8" or "9.2" vulnerability; there is more actual science in Pitchfork's 0.0-10.0 scale than there is in CVSS.

What is this Pitchfork scale? Is it an actual one, searching didn't return any useful results.

It's a music review site.


It's a shame that MikroTik routers' UI is completely unsuitable for non-powerusers.

Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.



They've been trying lately though, you can supposedly set one up for a basic pppoe and dhcp scenario using the Mikrotik phone app and they have a Back To Home wireguard VPN setup app

I dunno its pretty basic. It has lots of options but users only need to be guided to quick setup or a few other places.

Wasteful choice enabled by not being entirely responsible for pollution, energy consumption and trash. If they had to pay for environmental full restoration, energy at full cost and careful disposal of unsuitable hardware decision would have been different.

IMHO once devices are EOL'd the company should be legally required to release the source code for them.

I like this. But i also assume parts of the stack are going to be reused in newer models as well, so this is probably going to be a blocker for them accepting it.

If it's reused without much changes, why not make it available for older hardware?

If it changed enough it won't matter.


I'd settle for not getting sued when I try to jailbreak it.

To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.

Same as the NPM warnings. It’s always screaming that there are a billion super critical vulnerabilities, but when I look in to them it ends up being stuff like “if you put a malicious regex in to your own config file, your js linter will get stuck”

This is a command injection through a basic GET giving instant root access. Definitely worth a high score. These days I'm pretty sure browsers won't let you put a private IP in an <img> URL anymore but for the past 10-13 years there have definitely been browsers where visiting a web page is all you needed to do to get your NAS hooked up to a botnet.

Agreed (having read up properly), hence my other reply (https://news.ycombinator.com/item?id=42252807). But a headline that succinctly and accurately explains a worst-case scenario would be much better than one that just points at a CVE score. (The submission has since been re-titled according to a less clickbaity source.)

I'm pretty sure a 9.8 CVE for something connected directly to WAN is a very bad thing.

The point is that the title puts the number up there to sensationalize. It doesn't concretely explain the scope or magnitude of the vulnerability.

The 9.8 CVE was for their NAS. Exposing any NAS directly to the open Internet is a Bad Idea.

For that matter, nearly every shit-tier NAS vendor (WD, QNAP) has had some critical remote vulnerability in recent years. Some were notable for mass data loss incidents.

That aside, these companies are all very good at making very, very nice hardware at a price point consumers can afford. Some corners have to be cut and it's often software.

The dirty secret is many Internet of Shit device vendors outsource the software development, often to the lowest bidder in some offshore sweatshop. In some cases it's just a repackage of an ODM design from some no-name company in Shenzhen.

None of which are known for secure coding or good software practices.

Criticize all you want but this is a textbook example of getting what you paid for.

It's unreasonable to pay $100 for a D-Link box and expect it's Cisco ASA quality with free indefinite support.

Cisco, Juniper, and Palo Alto would all tell you to pound sand if you expect support after EOL or if you let your maintenance contract (aka protection racket) lapse.


Ok I get it, but if anything, people pay way less attention to security than they should. So I personally don't mind. I would prefer living in a world where people spend too much time caring for security

The problem is the way those specifics are handled. The Complexity metric is intended to handle the "specific configuration required" scenario but nobody is really incentivized to properly score their stuff.

Most "Critical" thing is: you buy a new router that is not from Duh-Link.

I remember this happened before, and someone smarter than me exploited the vulnerability to access every router and patch it remotely.

how about this: you can only abandon hardware if you enable open firmware on it.

Related:

D-Link tells users to trash old VPN routers over bug too dangerous to identify

https://news.ycombinator.com/item?id=42201639


Just opensource the firmware and redirect the update url.

That doesn't set a good precedent though. The community shouldn't be expected to carry every IoT device.

Maybe not, but it'd be nice to have the option. Wouldn't it?

If you as a user want third-party firmware usually you can jailbreak and install it yourself (especially if the original firmware has zero security). If we allow a vendor to choose to make "the community" responsible for their firmware, almost every vendor will choose that as quickly as possible (e.g. one year).

That's why in sane countries there is jurisdiction to deal with that.

If you leave capitalism unchecked it will fuck you as hard as any other system.


This assumes that vendors have IP rights to open source the firmware, which seems unlikely. Presumably there are third party commercial components they don't have rights to publish.

A rule like this essentially forbids closed source software. (Which, hey, might be a good thing... but then just mandate that directly and outlaw closed source software licensing.)


Can't there be a law that says something like "you can't release new hardware while you have unpatched older hardware still in use"? Recall or update your stuff first, release new things second.

simpler. Just open up the firmware when EOL. So a 3rd party can patch it.

Stop e-waste and planned obsolcence.

If you fear loosing sales on new HW, make it significantly better.


> Just open up the firmware ...

Two major issues:

- "a 3rd party can patch it" != "a competent and non-malicious 3rd party will bother to patch it in a timely manner". Let alone "Joe User will search for, find, correctly identify, and install that saintly-3rd-party patch". At best, this would modestly reduce e-waste & obsolescence.

- Outside of maybe Apple, nobody selling little network products is designing their own silicon, or even has authority over all the IP in them. The latter is often locked down by a web of (international) supplier contracts. Trying to force retroactive changes to such contracts, at scale, could become a 1,000-lawyer disaster.


It's not without challenges but we need to want it. Apple or whatever will never make it easy just from the goodness of their hearts.

Consider Asahi linux with their years long efforts to make it possible to use something else as an OS on the Mac. Or something like broadcom drivers that's now practically a meme.

If I "buy" something it shouldn't come a blackbox inside.


Well, the only way is the usb-c way. Via regulation.

Yes there will be resistance. There will be foul play. But tectonic shifts will happen over time. And the ecosystem will evolve and thrive.

Not every product will be supported by 3rd parties. But it would open a market, often smaller and local actors.

If it raise only a handful of hobbyist learning opportunities, i already call it a win.


Yes, that would be better. I have a drawer full of old iPhone and Mac devices that are practically blobs of ewaste because their OS doesn't update.

It would be nice.

Though, as a life-long Android user, I've been jealously looking at how long apple have actually been supporting their iPhones (at least since the iPhone 6) and I'm seriously considering switching.

The 6S, 7, 8 all got feature updates for 7 years, and are still getting security updates after 9 years. The iPhone XS is still getting feature updates after 6 years. On Android, you are lucky to get 3 years of feature updates and 5 years of security updates.


Google do seem to be improving here, with 7 years of support for Pixel 8 and 9, and 5 years for Pixel 6 and 7. Earlier models got 3 years which was barely acceptable.

The European Union has the Cyber Resilience Act, which will most likely become effective / mandatory by the end of 2027.

https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act

Skimming the regulation text, it seems it requires the manufacturer of a connected device to report on and quickly fix vulnerabilities within the device's "support period". The support period for device classes still has to be determined, but it seems it is a vital requirement for a device to get a CE certification (without which it otherwise is not allowed to be put on the EU market).


These devices were produced back on 2011 I believe. Even with the CRA, I don't think much would change. A decade is definitely the high end of reasonable required software support for cheap budget NASes in my opinion. Of course stores would be forced to stop selling any remaining stock of them, but I doubt that's much of a problem, really.

How would that be defined? What about low CVEs? Does that mean a company cant release a keyboard while theres unpatched network switches? What about devices that are hybrid like no releasing DSL modems but what if it has an integrated switch? Does that mean no switches too? Whos going to enforce this? I cant see a way this would't be turned into a "game the system" and wouldn't solve the unpatched product problem at all.

One of the reasons why there are major security f-ups: no accountability and no consequences

D-Link says buy a new router after vulnerability emerges after the signposted end of support date.

Having experienced D-link products first hand I’d say that anyone with a D-link product should buy something else anyway.

Something that supports OpenWRT.

I don’t think there’s much overlap between “people who run OpenWRT” and “people who use EOL D-Link routers”

Wouldn't the overlap between “people who run OpenWRT” and “people who use EOL D-Link routers” be "people who run OpenWRT on EOL D-Link routers"? The table of supported hardware at the OpenWRT site lists several D-Link models which can run the latest OpenWRT release, and several of them are marked as "discontinued" (that is, no longer sold), a few of them even being in that status for more than five years.

I don't know, I've installed openwrt on each device I've owned especially because their original firmware wasn't supported anymore (or crap to begin with).

Often because the cheap devices were either all I could afford or because I've even gotten them for free or basically free, like on flea markets.


I see a lot of comments here recommending OpenWRT. I’ve been happy with it in some deployments, but also don’t overlook the alternatives! I just had a wonderful experience with Fresh Tomato repurposing an integrated router / AP / 4-port switch as a multi-WAN router.

It would have been doable with OpenWRT’s robust scripting support, but was just a few clicks in the UI with Fresh Tomato.

https://freshtomato.org/

https://en.m.wikipedia.org/wiki/Tomato_(firmware)


The D-Link DSR-150 was released in 2012

It was the first information I wanted to know, but it wasn't in the article.


Not downplaying the risks, but could a vulnerability on a d-link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SOCs used on them powerful enough these days.

It’s powerful enough to mitm traffic if you get someone to install a certificate, and it can easily pass packets where ever the attacker wants.

This is also true of every intermediate router between you and the destination.

TLS would not need to exist otherwise.


Most intermediate routers don't have easily exploitable holes allowing attackers to take them over to MITM traffic though...

I thought most internet routers in the US at least were pwned by the NSA. :D

Reminds me of a Dan Greer talk he gave at NSA from 2014 http://geer.tinho.net/geer.nsa.26iii14.txt

the basic gist is in the event of a cyberwar you could brick millions of peoples routers and their only natural solution would be to go to BestBuy to get a new one... which almost certainly is running a 4-5yr old linux/firmware version that is equally vulnerable. Of course this requires some remote access or lateral entry from other systems on the network, but it's an interesting thought experiment regardless.


> the basic gist is in the event of a cyberwar you could brick millions of peoples routers [...] but it's an interesting thought experiment regardless.

I think this is already way past "thought experiment". In the day of the 2022 invasion of Ukraine by Russia, thousands of satellite modems were deliberately bricked.


and https://en.wikipedia.org/wiki/VPNFilter

The lack of major cyber wins in the invasion of Ukraine is still very surprising though. Maybe holding their cards for something big (something they didn't expect to win in "3 days"), or US really helped prepare Ukraine, or it's harder than it sounds :)


Yes they do. It's called BGP.

True I was thinking of packet analysis being intensive but simpler MITM/splitting it outbound makes senses.

Ransomware and bricking would probably be the primary risk though. And security cams, NAS, printers, etc.


The major worry for these devices for me is someone using my network connection for nefarious uses. I suspect many of the “get a residential IP for your crawler” services actually use hacked IOT devices.

„Just buy a new modem“ they say … sure won’t be a D-Link ever again.

Any good router access point that has nice gigabit Ethernet and really good WiFi, for a second access point in the house?

I could see them facing criminal liability here. Someone is having hard conversations with their insurance company.

Discussion around this seems very confused; there are quite a few severe vulnerabilities this year in various products (routers and NASes).

https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".

https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading frimware

https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).

CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance

https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.

(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".

(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)


Yeah, this doesn't surprise me one bit. The number of vulns that get patched in home routers is staggering (D-Link is particularly shit-tier and known for this.) If there's that many vulns being fixed then imagine the backlog of unfixed vulns... Then imagine how many legitimate issues have to be hand-waved away because engineers know there's no way in hell they'll ever get the time to fix them. And have to prioritize the worst problems.

It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent peoples networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibly that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when its done badly.


Huh I recently retired all my Dlink routers as soon as they stopped getting security updates, lucky me.

Just curious how old they were. Nothing in the article mentions of these were 2 year old routers or 10 years old

Like 2010-2012

I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.

You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?


> You knew your device was no longer supported and would no longer receive security updates

I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.

[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.


As an adult paying for your ISP service: you have some responsibility here. Whether you want that responsibility or not.

you are on HN so this makes sense to you. imagine your car was hacked while driving your family in the middle of the desert and bricked. as an adult that bought the car is this your responsibility that you endangered your family’s well-being?

A legally binding as well as moral yes. If you drive a 2000 pound death machine, know how it can kill you. The idea that you are somehow not culpable in the situation you've given is baffling. Of course you are.

you should delete this comment :)

nah, people who know that cars kill a _whole_ bunch of people each year, and believe that car ownership should come with full responsibility by the owner when it comes to whether their computer-on-wheels is compromised or not are just as free to post to HN as people who think that that's not the car owner's responsibility. If you have car with remote shutoff/control, you owe it to both yourself and especially your family to stay up to date on news about that. The world's bigger than just the US, some countries place more value on personal responsibility than others.

so in your world anyone that uses anything which is connected to the internet (which is basically everything) needs to be a cybersecurity engineer? :)

my dad (and most dads) will be pissed he can’t drive his EV or anything of the tech gadgets he likes cause he’s not technically qualified for ownership and responsibilities that comes with it…? that sounds reasonable :)

in this world I would say the very least business could do is put up a disclaimer on the product “requires PhD from Carnegie Melon to own”


Yeah, the only thing that might make D-Link's position here unreasonable is how long ago the devices hit EOL. Like if it was last week then they are being a bit petty if they don't issue a patch, but on the other hand if it was 10 years ago it is ridiculous to expect them to patch it. I couldn't find that info in the linked article (probably it's somewhere in between the two extremes I mentioned), but without knowing that context I can't really fault a vendor for saying "EOL means EOL, sorry".

> if it was 10 years ago it is ridiculous to expect them to patch it

I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?


Also, how many hundreds of dollars would it really cost them to release an update, even if it was 15 years old?

For at least one remote access vulnerability reported earlier this year, D-Link declined to patch even though the device only hit EoL during the disclosure period, and was still within the EoS (end-of-service) date (which by D-link policy is EoL + 1 year):

https://supportannouncement.us.dlink.com/announcement/public...


I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.

These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.

For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.


Unless these devices would auto-update, it also doesn't matter one bit. Sure HN users might go in and update their router, but the majority of users doesn't.

Whoever, because the are routers, that users will install and forget about, how are they even suppose to be made aware that these are end of life? D-Links, and other producers of consumer hardware, seems to think that it's fine to just EOL their products and say "go buy a new one". Being D-Link should be much harder than being Cisco. At least Cisco can assume that their customers are keeping up with product information, patches and so on. What is D-Links plan for informing users that their product is no longer secure? I don't think they have one and that pretty irresponsibility because they should know that the majority of their customers aren't all that technically savvy.

I don't know if D-Link devices automatically pulls update, my guess is that they don't, but there should at least be a on device indicator that this device is now EOL and should be used at the customers own risk. It fine to say that a device is EOL and no more updates will be made available, but they need to indicate to the customers that these devices are now at risk.


> These devices are end of life

If I told you that your fridge or car would be EOL in 5 years, and after that you should throw it away and buy a new one, you'd rightly laugh me out of the room.

I think it's worth taking a moment to consider why we let manufacturers get away with abandoning tech gadgets so quickly...


Last I checked most manufacturers have a limited time warranty on pretty much all appliances, especially short on low end appliances; after that you are on your own. So I don’t see your point here? The router can still route, but you know have a much bigger chance of it “failing” by being hacked. Equally so your refrigerator compressor can die easily after 5 years and the manufacturer won’t have to pay you a cent or try to repair it. You are truly on your own after the warranty

The big difference here is that there is an established network of 3rd parties who you can engage to put a new compressor in your fridge after the warranty expires.

No such supply chain exists to patch proprietary firmware/software after the support period.


Why do you think there is such a thing as 'D-Link haters'?

I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...


Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind boggling levels of incompetence?

I'd usually give the EOL argument some credit, but this exploit is not an accident, someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this"


We could have passed a law requiring minimum security standards but we didn't. The result was predictable and here it is.

While I don’t expect DLink to support every router indefinitely, there has to be a reasonable number of years, maybe the feds should set one and have the machine let the user know “you are outside of security time length and you are now easily attacked by hackers” for papaw and memaw. Also it’s profoundly unfair do say that is “bandwagoning d-link haters” and unfair to expect everyone to be a security power user.

How long should a consumer expect their modem to last? How long ago were they last being sold at retailers?

I think gadgets should have an EOL date on them, manufacturers might even start competing on who gives updates for longer.

Wait, has Apple ever exposed an end-point like this?

Do we know how they'd react if they ever did?


Your Mac is a network endpoint. It can easily be hacked after apple stops putting out security patches of your EOL’d air on your EOL’d d-link router



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: